Tags: azure, powershell, multi-factor-authentication, nps

Remove expired certificates from Azure Multi-Factor Auth Client (NPS Extension for Azure MFA)


I'm currently looking into how we should remove expired certificates from Azure Multi-Factor Auth Client, and properly cleanup the old certificates with Microsoft Graph PowerShell cmdlets.

Before the MSOnline PowerShell module was deprecated, this was possible using:

Remove-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -KeyIds <Insert KeyID here>

I've looked up the corresponding command from Microsoft Graph PowerShell - Find MSOnline cmdlets in Microsoft Graph PowerShell - and found that it should be Remove-MgServicePrincipalKey.

I've tried the following syntax:

$servicePrincipalId = (Get-MgServicePrincipal -Filter "appid eq '981f26a1-7f43-403b-a875-f8b09b8cd720'").Id
Remove-MgServicePrincipalKey -ServicePrincipalId $servicePrincipalId -KeyId <Insert KeyID here>

That gives me this output:

Remove-MgServicePrincipalKey : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-05-05T13:06:37
...

When searching on that, I've come to understand that it should be because Azure Multi-Factor Auth Client is a Microsoft first-party application, and that a proof, or proof-of-possession, is needed for it to be possible to remove certificates.

This is where I get stuck with my knowledge, as I cannot figure out how I should create that proof correctly for this purpose. Does anybody know how that should be done to work with this case?


Solution

  • I believe you need to use -Proof and supply a token signed by one of the current credential keys to use Add- or Remove-MgServicePrincipalKey.

    I instead used

    Connect-MgGraph -Scopes 'Application.ReadWrite.All'
    # Look up the service principal by its (tenant-independent) appId
    $sp = Get-MgServicePrincipal -Filter "appid eq '981f26a1-7f43-403b-a875-f8b09b8cd720'"
    $servicePrincipalId = $sp.Id
    $keyCredentials = $sp.KeyCredentials
    $newKeyCredentials = $keyCredentials[0,1,4,5] # index of whichever credentials should be kept
    # Rewriting the KeyCredentials list drops every entry that is not in it
    Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -KeyCredentials $newKeyCredentials

    which just removes your unwanted credentials.

    There is however a bug in the Microsoft.Graph PowerShell module version 2.27 regarding the Update-MgServicePrincipal command, so if you are on that version you need to downgrade (or upgrade when they fix the bug).
    https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3305
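The answer above keeps credentials by hard-coded index, which is easy to get wrong on a tenant whose list is in a different order. The script below is an added example, not code from the original question or answer, that generalizes the same approach to the question's actual goal: it selects the key credentials whose EndDateTime has already passed, shows them, refuses to empty the list entirely, and only then rewrites KeyCredentials with the unexpired entries. It assumes the Microsoft.Graph PowerShell module (a version not affected by the 2.27 Update-MgServicePrincipal bug linked above) and a caller holding Application.ReadWrite.All; the -DryRun switch is a convention of this example, not a Graph parameter, and the appId is the Azure Multi-Factor Auth Client id from the question.

```powershell
# Added example (not from the original post): remove only the expired key
# credentials from the Azure Multi-Factor Auth Client service principal by
# rewriting its KeyCredentials list, the same technique the answer uses,
# instead of Remove-MgServicePrincipalKey (which requires a proof token).
# Assumptions: Microsoft.Graph module installed, Application.ReadWrite.All
# granted to the signed-in account. -DryRun is a switch defined by this
# example only; it defaults to on so the first run changes nothing.
param(
    [switch]$DryRun = $true
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# appId of "Azure Multi-Factor Auth Client", as given in the question
$appId = '981f26a1-7f43-403b-a875-f8b09b8cd720'
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "Service principal for appId $appId not found in this tenant." }

$now = (Get-Date).ToUniversalTime()
# A credential counts as expired only if it has an end date and that date has passed;
# entries with no EndDateTime are kept so nothing is dropped by accident.
$isExpired = { $_.EndDateTime -and ($_.EndDateTime.ToUniversalTime() -le $now) }
$expired = @($sp.KeyCredentials | Where-Object $isExpired)
$keep    = @($sp.KeyCredentials | Where-Object { -not (& $isExpired) })

Write-Host "Current key credentials on $($sp.DisplayName): $($sp.KeyCredentials.Count)"
$sp.KeyCredentials | Sort-Object EndDateTime |
    Format-Table KeyId, DisplayName, Type, Usage, StartDateTime, EndDateTime -AutoSize

if ($expired.Count -eq 0) {
    Write-Host 'No expired key credentials; nothing to remove.'
    return
}
if ($keep.Count -eq 0) {
    # The NPS extension would be left with no certificate at all; stop instead.
    throw 'Refusing to remove every key credential from the service principal.'
}

Write-Host "Expired, will be removed: $($expired.KeyId -join ', ')"
Write-Host "Unexpired, will be kept:  $($keep.KeyId -join ', ')"
if ($DryRun) {
    Write-Host 'Dry run only. Re-run with -DryRun:$false to apply.'
    return
}

# Rewriting the list with only the unexpired entries drops the rest.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials $keep

# Read the object back and verify that no expired credential survived.
$after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
$remaining = @($after.KeyCredentials | Where-Object $isExpired)
if ($remaining.Count -gt 0) {
    Write-Warning "Expired credentials still present: $($remaining.KeyId -join ', ')"
} else {
    Write-Host "Done. $($after.KeyCredentials.Count) key credential(s) remain."
}
```

Run it once without arguments to see the before/after lists, then with `-DryRun:$false` to apply. Because the update replaces the whole KeyCredentials array, the read-back at the end is worth keeping: if the module version in use has the Update-MgServicePrincipal bug mentioned in the answer, a silently unchanged list is exactly what that check will surface.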